Certified Information Security Manager (CISM) — Question 13

Which of the following BEST provides an information security manager with sufficient assurance that a service provider complies with the organization's information security requirements?

Answer options

• A. A live demonstration of the third-party supplier's security capabilities
• B. The ability to audit the third-party supplier's IT systems and processes
• C. Third-party security control self-assessment results
• D. An independent review report indicating compliance with industry standards

Correct answer: B

Explanation

The ability to audit the third-party supplier's IT systems and processes (option B) offers the most comprehensive assurance, as it allows direct verification of compliance with the organization's security requirements. While live demonstrations (option A), self-assessment results (option C), and independent review reports (option D) provide useful insights, they do not offer the same level of thorough examination and validation of security practices as an audit does.